Bug 1149300 - (CVE-2019-11737) VUL-1: CVE-2019-11737: MozillaFirefox: Content security policy directives ignore port and path if host is a wildcard
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Charles Robertson
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/241696/
Whiteboard: CVSSv2:NVD:CVE-2019-11737:5.0:(AV:N/...
Depends on: 1149324
Blocks:
Reported: 2019-09-04 06:49 UTC by Alexander Bergmann
Modified: 2019-11-20 16:07 UTC

Found By: Security Response Team

Description Alexander Bergmann 2019-09-04 06:49:39 UTC
CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard

Reporter   Xiaoyin Liu
Impact     low

Description
If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content.


References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11737
https://bugzilla.mozilla.org/show_bug.cgi?id=1388015
https://bugzilla.redhat.com/show_bug.cgi?id=1748675
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11737
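For reference, the following added example is not Mozilla's code and is not part of this report: it is a simplified JavaScript model of CSP host-source matching, written along the lines of the CSP Level 3 "does url match expression" algorithm. The `wildcardShortCircuit` option, the policy string and the URLs are constructed for illustration. With the option on, a `*:8443/scripts/` source behaves as the advisory describes: the bare `*` host is accepted before the port and path restrictions are ever checked, so a script from any host, any port and any path gets through.

```javascript
// Added example, not Mozilla's code: a simplified CSP host-source matcher
// modelled on the CSP Level 3 "Does url match expression in origin with
// redirect count?" algorithm. The `wildcardShortCircuit` option reproduces the
// behaviour described in this bug: a bare "*" host is treated as a full match
// before the port and path checks run. Origin-relative scheme matching,
// IP-address hosts, percent-decoding of paths and the redirect exemption
// from path matching are left out for brevity.

const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Parse "https://*.example.com:8443/js/" into { scheme, host, port, path }.
// Returns null when the expression is not a host-source.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^\s;,]*)?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] ?? null, // "*", a digit string, or null when absent
    path: m[4] ?? null,
  };
}

// Does `urlString` match the single source expression `expr`?
function urlMatchesHostSource(expr, urlString, { wildcardShortCircuit = false } = {}) {
  const url = new URL(urlString);

  // Spec step 1: a bare "*" matches any http(s)/ws(s) URL on any port.
  if (expr === "*") return url.protocol in DEFAULT_PORTS;

  const src = parseHostSource(expr);
  if (!src) throw new Error(`not a host-source: ${expr}`);

  // Scheme: an explicit scheme must match; http->https and ws->wss upgrades are allowed.
  if (src.scheme) {
    const upgraded = (src.scheme === "http:" && url.protocol === "https:") ||
                     (src.scheme === "ws:" && url.protocol === "wss:");
    if (src.scheme !== url.protocol && !upgraded) return false;
  }

  // Host: "*" matches any host, "*.example.com" any subdomain, otherwise exact.
  const host = url.hostname.toLowerCase();
  if (src.host.startsWith("*")) {
    const suffix = src.host.slice(1); // "" for "*", ".example.com" for "*.example.com"
    if (suffix && !host.endsWith(suffix)) return false;
    // The bug: a bare "*" host returns early, so the port and path
    // restrictions that follow are never applied.
    if (wildcardShortCircuit && src.host === "*") return true;
  } else if (src.host !== host) {
    return false;
  }

  // Port: no port-part means the URL must use its scheme's default port;
  // "*" matches any port; a number must equal the URL's effective port.
  const urlPort = url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol];
  if (src.port === null) {
    if (urlPort !== DEFAULT_PORTS[url.protocol]) return false;
  } else if (src.port !== "*" && Number(src.port) !== urlPort) {
    return false;
  }

  // Path: a trailing "/" is a prefix match, anything else is an exact match.
  if (src.path && src.path !== "/") {
    if (src.path.endsWith("/")) {
      if (!url.pathname.startsWith(src.path)) return false;
    } else if (url.pathname !== src.path) {
      return false;
    }
  }
  return true;
}

// Evaluate a whole directive value (e.g. the source list of script-src).
// Quoted keywords such as 'self' or 'none' are not host-sources and are skipped.
function sourceListAllows(sourceList, urlString, opts) {
  return sourceList.trim().split(/\s+/).some((expr) =>
    expr.startsWith("'") ? false : urlMatchesHostSource(expr, urlString, opts));
}

// Constructed policy and URLs illustrating the reported behaviour.
const POLICY = "script-src 'self' https://cdn.example.org *:8443/scripts/";
const SOURCES = POLICY.replace(/^script-src\s+/, "");
for (const u of ["https://cdn.example.net:8443/scripts/app.js", "https://evil.example.net/x.js"]) {
  console.log(u, "strict:", sourceListAllows(SOURCES, u),
              "buggy:", sourceListAllows(SOURCES, u, { wildcardShortCircuit: true }));
}
```

Run under Node it prints one line per URL: the strict matcher accepts `https://cdn.example.net:8443/scripts/app.js` and rejects `https://evil.example.net/x.js` (port 443, path `/x.js`), while the buggy variant accepts both. The practical consequence for anyone auditing a policy on an affected build is that a source such as `*:8443/scripts/` is no stronger than a bare `*`; a host-qualified wildcard like `*.example.com:8443/scripts/` is unaffected by this particular behaviour because the early return only triggers for a bare `*` host.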
Comment 1 Alexander Bergmann 2019-11-20 16:07:40 UTC
This issue is fixed in Firefox 69.

openSUSE uses different versions:

openSUSE:Leap:15.0 60.0esr
openSUSE:Leap:15.1 60.6.2esr
openSUSE:Leap:15.2 68.2.0esr
openSUSE:Factory   70.0.1

SLE is also using only ESR versions and not Firefox 69.

Closing bug as invalid.